Read Paper (in PDF)
Mary Ellen Zurko, Charlie Kaufman, Katherine Spanbauer, and Chuck Bassett
IBM Software Group
USA
Designers are often faced with difficult tradeoffs between easing the user's burden by making security decisions for them and offering features that ensure that users can make the security decisions that are right for them and their environment. Users often do not understand enough about the impact of a security decision to make an informed choice. We ran a point study in a 500-person organization on the security of each user's Lotus Notes client against unsigned active content. We found that the default configuration of the majority of users did not allow unsigned active content that was received in an email message to run. However, we found that when presented with a choice during their work flow, many of those otherwise secured users would allow unsigned active content to run. We discuss the features that are in the current and next versions of Lotus Notes that provide security for active content and that respond to the usability issues from this study.
Keywords: security, usability, active content, application design, Lotus Notes